Topic: New SCRYPT! Stratum Flaw found (Read 4919 times)

sr. member
Activity: 448
Merit: 250
June 03, 2013, 06:34:09 PM
#22
thanks everyone, always appreciated!
sr. member
Activity: 252
Merit: 250
June 03, 2013, 06:05:55 PM
#21
defiantly

I stopped reading here.

Thanks for your wonderful contribution to this discussion.
sr. member
Activity: 332
Merit: 250
June 03, 2013, 06:02:56 PM
#20
Awesome work Pooler.  Once again you have done an outstanding job.

To be clear, WeMineLTC is not affected by this bug.  We DO NOT use the viperaus fork, our stratum backend is completely custom.  We had our stratum server working more than a month before viperaus scrypt stratum software was working.  I have read ppl saying we use viperaus several times and this is just not true.

As for our exploit that we announced on 5/29, after we found the exploit we tested the viperaus code and confirmed it had the same bug and we wanted pools to know about it, this seems to have ppl thinking that is the code we use.



As mentioned in my post. The top 5 pools all run custom stratum code so this bug was not affecting them. I am sure other pools are also running custom code but I have not checked or asked them. Nevertheless this fix will sure save many pool operators a lot of heartache.

Thanks again to all who were involved!
sr. member
Activity: 332
Merit: 250
June 03, 2013, 05:59:03 PM
#19
https://github.com/viperaus/stratum-mining/pull/4
Yet again, pooler saves the day for dozens of other scrypt pools.

I hope you other pools appreciate his work.  Please consider donating to him.  LTCPooLqTK1SANSNeTR63GbGwabTKEkuS7

Update: It turns out that bhunt discovered the fix at roughly the same time as pooler.  Donations to pooler's address will be split with bhunt.

Thank you to pooler once again. Special mention to bhunt89 also. We really appreciate your hard work!
sr. member
Activity: 332
Merit: 250
June 03, 2013, 05:56:23 PM
#18
defiantly

I stopped reading here.

that is awkward sorry about my horrible spelling. No need to be a smart ass about it tho...
sr. member
Activity: 435
Merit: 250
June 03, 2013, 05:44:55 PM
#17
defiantly

I stopped reading here.
full member
Activity: 168
Merit: 100
June 03, 2013, 05:37:59 PM
#16
only LTC stratum servers have this vulnerability or any BTC pool also struggles from this?


i guess that some btc pools based on https://github.com/slush0/stratum-mining can be affected by this if they don't use difficulty 1

I am not so sure about that, as I looked through the commits of the viperaus fork and this bug is due to sections of code being stripped from the starting code by the viperaus fork.
newbie
Activity: 23
Merit: 0
June 03, 2013, 05:01:43 PM
#15
only LTC stratum servers have this vulnerability or any BTC pool also struggles from this?


i guess that some btc pools based on https://github.com/slush0/stratum-mining can be affected by this if they don't use difficulty 1
full member
Activity: 168
Merit: 100
June 03, 2013, 04:09:12 PM
#14
Awesome work Pooler.  Once again you have done an outstanding job.

To be clear, WeMineLTC is not affected by this bug.  We DO NOT use the viperaus fork, our stratum backend is completely custom.  We had our stratum server working more than a month before viperaus scrypt stratum software was working.  I have read ppl saying we use viperaus several times and this is just not true.

As for our exploit that we announced on 5/29, after we found the exploit we tested the viperaus code and confirmed it had the same bug and we wanted pools to know about it, this seems to have ppl thinking that is the code we use.

sr. member
Activity: 263
Merit: 250
June 03, 2013, 04:07:00 PM
#13
only LTC stratum servers have this vulnerability or any BTC pool also struggles from this?


Any stratum scrypt pool based on this code could be vulnerable.  So that could be LTC or any of those scrypt-based scam coins.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
June 03, 2013, 04:03:30 PM
#12
only LTC stratum servers have this vulnerability or any BTC pool also struggles from this?

Just this one I think.
sr. member
Activity: 350
Merit: 250
June 03, 2013, 04:02:50 PM
#11
only LTC stratum servers have this vulnerability or any BTC pool also struggles from this?
legendary
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
June 03, 2013, 04:00:40 PM
#10
Awesome, glad a fix was found.
sr. member
Activity: 263
Merit: 250
June 03, 2013, 03:53:33 PM
#9
https://github.com/viperaus/stratum-mining/pull/4
Yet again, pooler saves the day for dozens of other scrypt pools.

I hope you other pools appreciate his work.  Please consider donating to him.  LTCPooLqTK1SANSNeTR63GbGwabTKEkuS7

Update: It turns out that bhunt discovered the fix at roughly the same time as pooler.  Donations to pooler's address will be split with bhunt.
sr. member
Activity: 263
Merit: 250
June 03, 2013, 02:10:42 PM
#8
One of the developers might have found the new vulnerability.  They are testing a fix now. Not identifying them so people won't bother them.  They need to get this right.
sr. member
Activity: 332
Merit: 250
June 02, 2013, 09:49:16 PM
#7
This sounds like the same vulnerability that WeMineLTC released info on a few days ago.

Litecoinforums are down, but here's a bitcointalk link about it:

https://bitcointalksearch.org/topic/annimportant-vulnerability-in-stratum-mining-fix-your-pools-asap-220641

It's a new exploit, but it seems to have the same effect as that issue. The fix has been applied to the pools experiencing this also, which is why I need more help.
sr. member
Activity: 332
Merit: 250
June 02, 2013, 09:48:15 PM
#6
Pool owners running stratum from viperaous or startum etc.. you may be susceptible to a new attack this has been noted on a few pools recently. This may not be affecting all pools but it is defiantly worth a mention.

Here's the issue: a significant fake hash rate may be counted as valid instead of rejected by the vulnerable pool server. I am working with a bunch of pool operators as well as the litecoin dev team at the moment to find the cause of this issue.
I believe the attacker is able to trick the server into accepting shares at a lower difficulty than the server sends out, thus causing their hash rate to spike. I am not 100% sure on this, which is why I make this post. If you think your pool is affected, please join us.

Here is what I have suggested so far: disabling vardiff code and setting the share difficulty cap at 32.

Please take note.
Any pool that has custom-coded stratum software will not be affected by this bug; this is for pools that are using the same codebase as each other.
I would also like to mention that there is NO issue with the LTC network at all! This is all to do with attacks and exploits on pool software.

if you're a pool op, join us on #unitedminers-2 on freenode.

Is this exploit fixed on givemeltc? Noticed my payouts in the last 2 days are about 15% lower than projected.

We run our own custom software. It did not affect us. I left that out of my post because this is not to promote our pool; this is to raise awareness on this issue and fix it.
sr. member
Activity: 263
Merit: 250
June 02, 2013, 09:45:37 PM
#5
This sounds like the same vulnerability that WeMineLTC released info on a few days ago.

Litecoinforums are down, but here's a bitcointalk link about it:

https://bitcointalksearch.org/topic/annimportant-vulnerability-in-stratum-mining-fix-your-pools-asap-220641

Not the same exploit.  Related.  It's possible the wemineltc fix only made it better, but wasn't precise enough.  There are other theories.

Note: Litecoin Dev Team lent some help on the issue, but pool software is solely the responsibility of pool owners.  It seems that serraz has given time to help analyze this issue even though he doesn't use this pool software.

I suggest that some of the affected pool operators post in this thread to identify cheating IP addresses and payout addresses.
legendary
Activity: 1988
Merit: 1007
June 02, 2013, 09:43:46 PM
#4
I've noticed spikes in some sites as well, and on some pools the earnings have been really wonky the last few days. Hopefully this is resolved soon.
full member
Activity: 126
Merit: 100
June 02, 2013, 09:42:55 PM
#3
Pool owners running stratum from viperaous or startum etc.. you may be susceptible to a new attack this has been noted on a few pools recently. This may not be affecting all pools but it is defiantly worth a mention.

Here's the issue: a significant fake hash rate may be counted as valid instead of rejected by the vulnerable pool server. I am working with a bunch of pool operators as well as the litecoin dev team at the moment to find the cause of this issue.
I believe the attacker is able to trick the server into accepting shares at a lower difficulty than the server sends out, thus causing their hash rate to spike. I am not 100% sure on this, which is why I make this post. If you think your pool is affected, please join us.

Here is what I have suggested so far: disabling vardiff code and setting the share difficulty cap at 32.

Please take note.
Any pool that has custom-coded stratum software will not be affected by this bug; this is for pools that are using the same codebase as each other.
I would also like to mention that there is NO issue with the LTC network at all! This is all to do with attacks and exploits on pool software.

if you're a pool op, join us on #unitedminers-2 on freenode.

Is this exploit fixed on givemeltc? Noticed my payouts in the last 2 days are about 15% lower than projected.
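
The symptom hypothesized in the opening post (a pool crediting shares at a lower difficulty than it assigned) can be checked from share logs. The following is an added example, not code from this thread or from the stratum-mining project; the log record layout, the worker names, integer difficulties and the difficulty-1 target constant are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Assumption: scrypt pools commonly treat this 256-bit value as the difficulty-1 target.
DIFF1_TARGET = 0xFFFF << 224

def share_difficulty(hash_hex):
    """Difficulty that a share hash (big-endian hex) actually proves."""
    return DIFF1_TARGET / max(int(hash_hex, 16), 1)

def audit(records):
    """Per worker: difficulty credited vs. difficulty the hashes really prove."""
    report = defaultdict(lambda: {"credited": 0, "proven": 0, "bad": []})
    for rec in records:
        if not rec["accepted"]:
            continue
        row = report[rec["worker"]]
        row["credited"] += rec["assigned_diff"]
        # The share must meet the target for the difficulty the server assigned
        # to that job, not whatever lower difficulty the submission satisfies.
        if int(rec["hash"], 16) <= DIFF1_TARGET // rec["assigned_diff"]:
            row["proven"] += rec["assigned_diff"]
        else:
            row["bad"].append((rec["job_id"], round(share_difficulty(rec["hash"]), 2)))
    return dict(report)

def suspicious_workers(records):
    """Workers with at least one accepted share below its assigned difficulty."""
    return sorted(w for w, row in audit(records).items() if row["bad"])

def make_hash(divisor):
    """Constructed hash that exactly meets difficulty `divisor`."""
    return format(DIFF1_TARGET // divisor, "064x")

# Constructed sample log (hypothetical record layout and worker names).
SAMPLE = [
    {"worker": "alice.1", "job_id": "a1", "assigned_diff": 32, "hash": make_hash(64), "accepted": True},
    {"worker": "alice.1", "job_id": "a2", "assigned_diff": 32, "hash": make_hash(32), "accepted": True},
    {"worker": "mallory.1", "job_id": "b1", "assigned_diff": 32, "hash": make_hash(2), "accepted": True},
    {"worker": "mallory.1", "job_id": "b2", "assigned_diff": 32, "hash": make_hash(40), "accepted": True},
    {"worker": "bob.1", "job_id": "c1", "assigned_diff": 32, "hash": make_hash(1), "accepted": False},
]

if __name__ == "__main__":
    for worker, row in audit(SAMPLE).items():
        print(worker, row)
    print("review:", suspicious_workers(SAMPLE))
```

A gap between `credited` and `proven` for a worker means the pool paid for work the submitted hashes do not demonstrate, which is the hash-rate spike operators in this thread reported.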